Total Fitness data breach 2024: how it happened and what to do next

In 2024, Total Fitness exposed the personal information of around 470,000 members and staff. This breach wasn’t the work of sophisticated hackers: it was caused by Total Fitness failing to secure its own database. 

The Total Fitness data breach 2024 could have been prevented 

The Total Fitness data breach came to light after a cybersecurity researcher discovered a database exposed online with no authentication in front of it, meaning anyone who found it could have read its contents.  

The unprotected database contained highly sensitive information, including: 

  • Photographs of members and staff 
  • Identity documents, such as passports and driving licenses 
  • Bank and payment card details 
  • Phone numbers 
  • Immigration records 

 

Some of the personal images were of children, while one of the images was linked to a gym member’s OnlyFans page.  

This level of data exposure is extremely serious, particularly for individuals whose identity documents and financial details were exposed. It raises serious concerns about how Total Fitness stores sensitive customer information and whether the company takes its data protection responsibilities seriously. 

According to one report, it is unknown how long the database was left open without password protection, or whether any threat actors accessed it before it was discovered. 

Why is this breach worse than the 2021 Total Fitness cyber-attack? 

In 2021, Total Fitness was the victim of a cyber-attack in which hackers actively broke into its systems to access customer data. That incident exposed weaknesses in the company’s cybersecurity, but it at least required an external attacker to defeat some form of defence. The 2024 breach is arguably more concerning, because it resulted from sheer negligence rather than an intentional attack: no defences had to be defeated, because none were in place on the database. 

By failing to secure its database, Total Fitness left nearly half a million individuals’ data openly accessible. For an unknown period, anyone with basic technical knowledge could have accessed, copied, or misused this information without restriction and, unless the database kept access logs, without detection. The breach was completely preventable, and it highlights a fundamental failure in Total Fitness’s internal security protocols, suggesting a lack of oversight, inadequate data protection measures, and a failure to learn from past mistakes. 

Furthermore, because the database was publicly exposed, it is impossible to know who may have accessed the information or for how long it was available. Hackers, scammers, or identity thieves could have retrieved customer and employee details without leaving a trace. Unlike a cyber-attack, where forensic investigators can often reconstruct who was behind the breach and what they touched, an unauthenticated database with no access logging may leave no digital footprint at all. 

However, Total Fitness isn’t off the hook for the earlier breach either. The 2021 cyber-attack had already raised serious concerns about the company’s ability to protect customer data. Following that incident, one would have expected Total Fitness to strengthen its security infrastructure, implement stronger data encryption, and introduce tighter access controls to prevent future breaches. Instead, some lawyers believe the company failed to take the necessary steps to ensure member and staff data was secure. 

This raises an even bigger question: if Total Fitness allowed a data breach of this scale to occur in 2024, what other security risks still exist within the company’s systems? If a basic failure like leaving an unsecured database exposed could affect almost half a million people, what other vulnerabilities could be putting members at risk? 

For those affected, the repeated failures by Total Fitness demonstrate a clear disregard for customer privacy and data security. Whether they were impacted in 2021, 2024, or both breaches, victims now face a real risk of identity theft, fraud, and financial exploitation – all because of a company that should have done more to protect them. 

What should affected individuals do? 

If your data was exposed in either the 2021 or 2024 Total Fitness breach, you should: 

  • Monitor your financial accounts for any suspicious activity; if your payment card details were held in the database, ask your bank to replace the card. 
  • Be cautious of phishing emails or fraudulent calls, especially ones that quote details from the breach (such as your gym membership or ID document) to appear genuine. 
  • Check if you are eligible for compensation due to Total Fitness’s security failures. 

Legal action has been launched to hold Total Fitness accountable for its repeated data breaches. If you were affected, you may have a right to compensation. 
